9.13 Securing Email Communications

You can use MailMarshal to secure incoming and outgoing email communications. MailMarshal allows you to decide where and under what conditions you want to use TLS. Setting up TLS involves three tasks:

1. Creating or importing a TLS Certificate

2. Enabling TLS for mail incoming to MailMarshal

3. Enabling TLS for mail outbound from MailMarshal.

Note: For more information about configuring TLS, see Trustwave Knowledge Base article Q11636.

When TLS is configured, you can use rules to take action on incoming messages based on the use of TLS and details of the SSL certificate used by the remote server.

9.13.1 Working with Certificates

Each MailMarshal server using TLS makes its secure status public using a certificate. MailMarshal stores TLS Certificates on each server. For each MailMarshal server with which you want to use TLS, you must generate or obtain an authentication certificate. To perform these tasks, use the TLS Certificate Wizard.

Certificates have expiration dates. Starting two weeks before a certificate expires, MailMarshal sends a daily renewal reminder email to the MailMarshal administrator.

The TLS Certificate Wizard allows you to perform the following tasks:

Generate a Certificate Signing Request (CSR) that you submit to a third-party certificate authority

Import X.509 and PKCS#7 key-certificate backup files supplied by a certificate authority

Generate self-signed certificates

Save server-specific key-certificate pairs as PKCS#12 files

Import PKCS#12 files

To create or manage certificates:

1. In the left pane of the Management Console, expand Mail Servers.

2. In the right pane listing of servers, edit the MailMarshal server for which you want to configure TLS.

3. Click Inbound Security (TLS).

4. Click TLS Certificate Wizard.

5. Enter the required information on each tab to complete the certificate task you are performing. For more information about the workflow and the fields on each tab, click Help.

6. On the server pane, click Save.

9.13.2 Securing Inbound Communications

Using TLS is optional for incoming email. You can enable or disable TLS, and set the minimum required cipher strength for inbound connections. You can enable Perfect Forward Secrecy (PFS) by selecting an Elliptic Curve to be used for key exchange.

MailMarshal requires you to set incoming email TLS configuration on each email processing server in an array. Repeat the following task for each email processing server.

To enable TLS for inbound connections on a MailMarshal email processing server:

1. In the left pane of the Management Console, expand Mail Servers.

2. In the right pane, select Servers and then select the name of the email processing server for which you want to configure TLS.

3. Click Inbound Security (TLS).

4. Specify the appropriate values. For more information about the options, click Help.

Note: The Enable TLS option is available only when a valid certificate is installed on the server.

5. On the server pane, click Save.

6. Commit configuration changes.

When a message is received with TLS, the Received: header line is marked with the version of TLS and the cipher used. For instance:

Received: from client03 (Not Verified[127.0.0.1]) by vm-example03 with Trustwave SEG (v10,0,662,1) (using TLS: TLSv1, AES128-SHA).

You can use Connection or Content Analysis rules to take action based on the TLS status, the TLS protocol that was used, and the SSL certificate that was used. You can choose to classify, accept, reject, or quarantine messages depending on the information encoded in the certificate. You can check the validity date, permitted certificate use, certificate domain, trust, and revocation status. For full details of the available options, see Help for the Rule Condition “Where the TLS client certificate matches criteria.”
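As an added illustration (not part of the MailMarshal product or this guide), the following Python audit script parses the TLS annotation MailMarshal writes into the Received: header, as shown above, and reports hops that fall below a chosen minimum protocol version or that used a cipher without forward secrecy. The sample headers are constructed in the documented format; the cutoff of TLSv1.2 is an assumed local policy, not a product default.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample headers in the format described above (not captured from a live server).
SAMPLE_TLS1 = ("Received: from client03 (Not Verified[127.0.0.1]) by vm-example03 "
               "with Trustwave SEG (v10,0,662,1) (using TLS: TLSv1, AES128-SHA).")
SAMPLE_TLS12 = ("Received: from mx.example.net (Not Verified[192.0.2.10]) by vm-example03 "
                "with Trustwave SEG (v10,0,662,1) (using TLS: TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384).")
SAMPLE_PLAIN = ("Received: from client04 (Not Verified[127.0.0.1]) by vm-example03 "
                "with Trustwave SEG (v10,0,662,1).")

# The "(using TLS: <version>, <cipher>)" annotation MailMarshal appends when TLS was negotiated.
TLS_RE = re.compile(r"\(using TLS:\s*(?P<version>[^,\s]+),\s*(?P<cipher>[^)\s]+)\)")
NOT_VERIFIED_RE = re.compile(r"\(Not Verified\[[^\]]*\]\)")

# Protocol versions from weakest to strongest, used to compare against a required minimum.
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

@dataclass
class TlsInfo:
    used_tls: bool
    version: Optional[str] = None
    cipher: Optional[str] = None
    peer_not_verified: bool = False  # True when the header carries the "Not Verified" marker

def parse_received(header: str) -> TlsInfo:
    """Extract the TLS details MailMarshal recorded in a Received: line."""
    info = TlsInfo(used_tls=False, peer_not_verified=bool(NOT_VERIFIED_RE.search(header)))
    m = TLS_RE.search(header)
    if m:
        info.used_tls, info.version, info.cipher = True, m.group("version"), m.group("cipher")
    return info

def audit_tls(info: TlsInfo, min_version: str = "TLSv1.2") -> List[str]:
    """Return policy findings for one hop; an empty list means the hop meets the policy."""
    if not info.used_tls:
        return ["received in clear text: no TLS annotation in Received: header"]
    findings = []
    if info.version not in VERSION_ORDER:
        findings.append(f"unrecognised protocol version {info.version}")
    elif VERSION_ORDER.index(info.version) < VERSION_ORDER.index(min_version):
        findings.append(f"{info.version} is below the required minimum {min_version}")
    # Forward secrecy needs an ephemeral (EC)DHE key exchange: TLS 1.3 suites always have one,
    # while older OpenSSL-style names show it as an ECDHE-/DHE- prefix (AES128-SHA is plain RSA).
    if info.version != "TLSv1.3" and not (info.cipher or "").startswith(("ECDHE-", "DHE-")):
        findings.append(f"cipher {info.cipher} does not provide forward secrecy")
    return findings

if __name__ == "__main__":
    for hdr in (SAMPLE_TLS1, SAMPLE_TLS12, SAMPLE_PLAIN):
        print(parse_received(hdr), audit_tls(parse_received(hdr)))
```

Run over an exported mailbox or log extract, the findings show which sending hosts would fail a tighter minimum cipher strength or PFS setting before you change the inbound configuration.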

Note: Ensure that the processing servers can connect to Internet locations using HTTP and HTTPS. This access is required for checking of Certificate Revocation Lists. You can use a proxy server for web access if required; see “Customizing Settings for Nodes”.

9.13.3 Securing Outbound Communications

Using TLS is optional for outgoing email. You can enable TLS, require TLS for specific domains, set the minimum cipher strength, and choose whether to offer a client certificate when requested by a remote server. Outbound TLS uses Perfect Forward Secrecy (PFS) if advertised by the remote server.

MailMarshal applies the TLS configuration for outbound email across all email processing servers in the array.

To enable TLS for outbound email:

1. In the left pane of the Management Console, click System Configuration.

2. In the right pane, expand Sender Properties > Outbound Security (TLS).

3. Specify the appropriate values. For more information about the options, click Help.

4. On the server pane, click Save.

5. Commit configuration changes.

When a message is sent using TLS, MailMarshal classifies the message as “Delivered successfully over TLS.” You can review this information in the Console, and report on it using Marshal Reporting Console.

Note: You can also require delivery over TLS based on rule conditions. See the rule action “Deliver the mail via TLS only”.

Trustwave MailMarshal 10.1.0 User Guide March 2024